IIS Components

IIS Components

• 
  
  IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities.
• 
  
  Example: Server side scripting, Content Indexing, Web Based printing etc.
• 
  
  This architecture provides attackers with different functionality to exploit via malicious input.

IIS relies heavily on a collection of DLLs that work together with the main server process, inetinfo.exe, to provide various capabilities. Example: Server side scripting, Content Indexing, Web Based printing etc. This architecture provides attackers with different functionality to exploit via malicious input. On a IIS Web server with no service packs or hot fixes applied, there are way too many ways that a command shell can be invoked through inetinfo.exe, the IIS process. Yet, there is no reason for inetinfo.exe to be invoking a shell.

IIS consists of several components. These include:

• 
  
  Background Intelligent Transfer Service (BITS) server extension: BITS is a background file transfer mechanism used by applications such as Windows Updates and Automatic Updates.
• 
  
  Common Files: On a dedicated Web server, these files are required by IIS and must always be enabled.
• 
  
  File Transfer Protocol (FTP) Service: Allows the Web server to provide FTP services. This component is not required on a dedicated Web server. However, this may be enabled on a server that is only used for posting content, to support software such as Microsoft FrontPage® 2002 without enabling FrontPage 2002 Server Extensions. Because the FTP credentials are always sent in plaintext, it is recommended to connect to FTP servers through a secured connection, such as those provided by IPSec or a VPN tunnel.
• 
  
  FrontPage 2002 Server Extensions: Provides FrontPage support for administering and publishing Web sites. On a dedicated Web server, this must be disabled when no Web sites are using FrontPage Server Extensions.
• 
  
  Internet Information Services Manager: Administrative interface for IIS. This is to be disabled when the Web server is not administered locally.
• 
  
  Internet Printing: Provides Web-based printer management and allows printers to be shared by using HTTP. This component is usually not required on a dedicated Web server.
• 
  
  NNTP Service: Distributes, queries, retrieves, and posts Usenet news articles on the Internet. This component is not required on a dedicated Web server.
• 
  
  SMTP Service: Supports the transfer of electronic mail. This component is not required on a dedicated Web server.
• 
  
  World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server. If this component is not enabled, then all subcomponents are not enabled.
  • 
    
    Active Server Pages: Provides support for Active Server Pages (ASP). Disable this component if none of the Web sites or applications on the Web server uses ASP.
  • 
    
    Internet Data Connector: Provides support for dynamic content provided through files with .idc extensions.
  • 
    
    Disable this component if none of the Web sites or applications on the Web server includes files with .idc extensions.
  • 
    
    Remote Administration (HTML): Provides an HTML interface for administering IIS. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.
  • 
    
    Remote Desktop Web Connection: Includes Microsoft ActiveX® controls and sample pages for hosting Terminal Services client connections. Use IIS Manager instead to provide easier administration and to reduce the attack surface of the Web server. This component is not required on a dedicated Web server.
  • 
    
    Server-Side Includes: Provides support for .shtm, .shtml, and .stm files. Disable this component if none of the Web sites or applications on the Web server includes files with these extensions.
  • 
    
    WebDav Publishing: Web Distributed Authoring and Versioning (WebDAV) extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage resources on the Web. Disable this component on a dedicated Web server.
  • 
    
    World Wide Web Service: Provides Internet services, such as static and dynamic content, to clients. This component is required on a dedicated Web server.

ISAPI DLL Buffer Overflows

• 
  
  One of the most extreme security vulnerabilities associated with ISAPI DLLs is the buffer overflow.
• 
  
  In 2001, IIS servers were ravaged by versions of the Code Red and Nimda worms which were both based on buffer overflow exploits.

ISAPI - Introduction

Internet Server Application Programming Interface (ISAPI) is an API developed to provide the application developers with a powerful way to extend the functionality of Internet Information Server (IIS). ISAPI allows web developers to develop custom code that provides additional web services. This custom code can either be implemented in an ISAPI filter, if the new functionality provides a low-level service, or conversely an ISAPI extension, if the new functionality provides a high-level service. Although ISAPI extensions are not limited to IIS, they are extensively used in conjunction with web servers.